Saturday, November 05, 2016

Notes from Security Awareness lessons

Social Engineering
- Cyber attacks can arrive in a variety of ways, including emails, instant messages and phone calls.
- Common lures used to get your attention: "free download", "you won", claims that your computer is infected, emails or messages pretending to be from your bank.

Email & Messaging
- Phishing attacks come in the form of emails or messages pretending to represent your bank. The attacker's message may trick you into clicking a link or opening an attachment, which may infect your computer.
- Warning signs of a phishing message: a generic greeting that does not address you personally; a demand for immediate action; spelling mistakes; a sender using a personal email address such as gmail or yahoo; a request for highly sensitive information such as a credit card number or your password.
- Before clicking a link, hover over it to see the real destination.
- Better still, type the address directly into the browser.

Browser attacks:
- Ensure the browser has the latest update installed.
- Do not open unsafe sites; modern browsers detect bad sites.
- Make sure https is used for sites.
- Use only approved and up-to-date plugins or add-ons.
- Log out from the website when you have finished.

Using Social Networks:
- Use strong, unique passwords, a different password for each account, and 2-step verification where possible.
- When posting something, make sure it is something you really want posted.
- When someone you don't know posts something about you, ask them to remove it or report it.
- Install third-party social network applications only from trusted sources.
- When there is a suspicious post from somebody you know, contact them directly and tell them about it.
- Do not post confidential information on any site.

Mobile Device Security:
- Protect the device with a screen lock (password or PIN).
- Activate remote wiping.
- Install apps only from trusted sources; read the reviews and check their popularity.
- Check the permissions an app requires when installing it.
- Keep apps updated.
- Keep the mobile OS updated.
- Buy a new mobile device when the current one no longer receives OS support.
- Never jailbreak or hack the mobile device.
- Beware of malicious links in SMS messages.

Passwords
- Do not use simple passwords.
- Do not use personal information in passwords, such as date of birth, name or pet name.
- Use long passwords with upper/lower case letters, numbers and special characters.
- Use a password manager.
- Do not use public computers to log in to bank accounts.
- Be careful with sites that ask personal security questions; the answers can often be found on the internet.
- Use 2-factor authentication.

Data Security and Data Destruction
- This is about how to store, process, transmit and destroy sensitive information.
- Use systems authorized by the organization.
- Do not copy organization information to personal devices.
- Use authorized and licensed software.
- Do not use cloud services (Dropbox, iCloud, Google Drive) if they are not approved by the organization.
- Do not leave hard-copy documents on desks; lock them away.
- Always lock the computer when leaving the desk.
- Use strong encryption when sending information over a network.
- Use approved external devices and software for storing information.
- Use dedicated secure-deletion software to delete sensitive information.
- Always shred hard-copy documents when they are no longer needed.

Working Remotely
- Use only devices provided or approved by the organization.
- Family members should not use work devices.
- Use encrypted channels such as VPNs when connected through public networks.
- Ensure the OS and the applications used are up to date.
- Never use public computers for work.
- Do not allow others to connect to your devices via USB, Bluetooth, etc.

Insider Threats (created by someone employed by the organization)
- Someone asking for information he/she does not need to have.
- Someone carrying a large number of documents out of the organization.
- Someone transferring large files when not required to do so.
- Someone working strange hours.
- Someone trying to log in to somebody else's account, or asking for access to data centers.
- Someone with strange behavior.
- Never share your credentials with anybody, including your supervisor.

Protecting your personal computer
- Your computer runs the latest OS and the latest versions of its applications, e.g. Word, Excel.
- Automatic updates are activated on your computer/devices.
- Uninstall unused applications.
- Ensure web browsers and their plugins are updated.
- Use private/anonymous mode when browsing the internet.
- Ensure the firewall is active.
- Ensure antivirus is running and updated.
- Perform regular backups of your personal information.

Hacked
You may have been hacked when:
- Antivirus generates alerts.
- The browser takes you to unwanted sites.
- Your password no longer works.
- Your friends tell you they receive messages from your Facebook, Twitter or email account which you did not send.
- Contact the security team immediately when you think you have been hacked.

Payment Card Industry Data Security Standard (PCI DSS)
- Limit data access to the people who require it.
- Do not store sensitive authentication data (e.g. the card verification code).
- Store the PAN (primary account number) in encrypted form according to organization standards.
- Verify the identity of a person before granting them access to any payment card device.
- Cardholder information should be used only for processing payments.
- Only authorized payment systems may be used to store, process or transmit cardholder data.

Cloud Services
- You never know where the data is stored.
- Obtain permission to use cloud services in the organization.
- Obtain permission on what type of information can be stored in the cloud.
- Never access personal cloud accounts from the organization without prior permission.
- Use unique passwords for your cloud accounts.
- Share cloud information only with approved people.
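The phishing warning signs listed under Email & Messaging above (generic greeting, demand for immediate action, personal mail provider as sender, request for sensitive data, and "hover the link to see the real destination") can be turned into a small triage script. The following is an added example, not code from the original notes; the two emails it checks are constructed samples, the domain examplebank.com is a placeholder, and the keyword lists and the "two or more findings" threshold are assumptions a practitioner would tune for their own organization. It uses only the Python standard library.

```python
"""Triage an email for the phishing warning signs from the awareness notes.

Added example with constructed sample messages; not part of the original notes.
Heuristics only: a clean result does not prove a message is safe.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists; extend for your environment.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
URGENCY = re.compile(r"\b(immediately|within 24 hours|urgent|suspended|verify now|act now)\b", re.I)
SENSITIVE = re.compile(r"\b(password|credit card|card number|pin|ssn)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear\s+(customer|user|member|client)|hello\s+user)\b", re.I | re.M)
RISKY_EXT = (".exe", ".js", ".scr", ".vbs", ".docm", ".xlsm")


class _LinkExtractor(HTMLParser):
    """Collect (href, displayed anchor text) pairs: the 'hover to see the real destination' check."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    # Naive "last two labels" rule: examplebank.com.evil.example -> evil.example
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage(raw: bytes, claimed_domain: str) -> dict:
    """Return the findings for a raw RFC 822 message claiming to come from claimed_domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    sender_domain = m.group(1).lower() if m else ""
    if sender_domain in FREEMAIL:
        findings.append(f"sender uses personal mail provider: {sender_domain}")
    elif sender_domain and _registrable(sender_domain) != _registrable(claimed_domain):
        findings.append(f"sender domain {sender_domain} does not match {claimed_domain}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = re.sub(r"<[^>]+>", " ", body)  # strip tags before keyword checks
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting")
    if URGENCY.search(text):
        findings.append("demands immediate action")
    if SENSITIVE.search(text):
        findings.append("asks for sensitive information")

    if body_part is not None and body_part.get_content_type() == "text/html":
        ex = _LinkExtractor()
        ex.feed(body)
        for href, anchor in ex.links:
            real = _registrable(_host(href))
            if real != _registrable(claimed_domain):
                findings.append(f"link leads to {real}, not {claimed_domain}")
            if anchor.startswith("http") and _host(anchor) != _host(href):
                findings.append(f"displayed URL {anchor} differs from destination {href}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {name}")

    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed samples (not real messages).
PHISH = b"""From: Security Team <examplebank.alerts@gmail.com>
To: victim@example.org
Subject: Urgent: your account is suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your account has been suspended. Verify now within 24 hours or lose access.
Confirm your password and card number at
<a href="http://examplebank.com.login-verify.example/secure">https://www.examplebank.com/login</a>.</p>
</body></html>
"""

LEGIT = b"""From: Example Bank <noreply@examplebank.com>
To: victim@example.org
Subject: Your October statement is available
Content-Type: text/plain; charset="utf-8"

Hello Alice,
Your statement for October is ready. Log in at examplebank.com as usual.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw, "examplebank.com"))
```

The link check is the important one: the anchor text shows the bank's own URL, but the href goes to a host whose registrable domain is login-verify.example, which is exactly what hovering over the link would reveal.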
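Three of the insider-threat indicators above (working strange hours, transferring large files without a need to, and trying to log in to somebody else's account) are the kind of thing a security team can look for in access logs rather than rely on colleagues to notice. The block below is an added example, not something from the original notes: it runs the three checks over a constructed audit log whose line format (`timestamp key=value ...`), business hours, bulk-download threshold and user names are all assumptions. The "somebody else's account" check correlates failed logins with the host they come from and who normally logs in successfully from that host.

```python
"""Flag the insider-threat indicators from the awareness notes in an access log.

Added example over a constructed log; not part of the original notes.
Thresholds and the log format are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (timestamps are ISO 8601; 2016-11-05 is a Saturday).
LOG = """
2016-11-03T09:00:00 user=bob action=login result=ok src=10.0.0.5
2016-11-03T09:01:00 user=alice action=login result=ok src=10.0.0.7
2016-11-03T09:10:00 user=alice action=download bytes=2000000 path=/shares/hr
2016-11-03T14:00:00 user=bob action=download bytes=15000000 path=/shares/eng
2016-11-03T15:30:00 user=alice action=login result=fail src=10.0.0.5
2016-11-03T15:31:00 user=alice action=login result=fail src=10.0.0.5
2016-11-04T23:40:12 user=bob action=login result=ok src=10.0.0.5
2016-11-04T23:45:00 user=bob action=download bytes=5200000000 path=/shares/finance
2016-11-05T02:10:00 user=bob action=download bytes=800000000 path=/shares/finance
""".strip().splitlines()


def parse(line):
    """'ts k=v k=v' -> dict with a datetime under 'ts' and the remaining fields as strings."""
    ts, *kv = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for item in kv:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def is_off_hours(ts, start=8, end=19):
    """Assumed business hours: weekdays, 08:00 to 19:00."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def analyze(lines, bulk_threshold=1_000_000_000, off_hours_min=2):
    """Return {user: [finding, ...]} for users who trip at least one indicator."""
    recs = [parse(line) for line in lines]

    # Who normally works from which host, learned from successful logins.
    host_owner = defaultdict(set)
    for r in recs:
        if r.get("action") == "login" and r.get("result") == "ok":
            host_owner[r["src"]].add(r["user"])

    off_hours = defaultdict(int)      # user -> events outside business hours
    daily_bytes = defaultdict(int)    # (user, date) -> bytes downloaded
    probes = defaultdict(int)         # (suspect, target, src) -> failed logins
    for r in recs:
        user = r["user"]
        if is_off_hours(r["ts"]):
            off_hours[user] += 1
        if r.get("action") == "download":
            daily_bytes[(user, r["ts"].date())] += int(r.get("bytes", 0))
        if r.get("action") == "login" and r.get("result") == "fail":
            # A failed login for X from a host that Y normally uses: Y may be trying X's account.
            for owner in host_owner.get(r.get("src"), ()):
                if owner != user:
                    probes[(owner, user, r["src"])] += 1

    findings = defaultdict(list)
    for user, n in off_hours.items():
        if n >= off_hours_min:
            findings[user].append(f"off-hours activity: {n} events")
    for (user, day), total in daily_bytes.items():
        if total > bulk_threshold:
            findings[user].append(f"bulk download: {total} bytes on {day}")
    for (suspect, target, src), n in probes.items():
        findings[suspect].append(
            f"{n} failed logins as {target} from {src} (host normally used by {suspect})")
    return dict(findings)


if __name__ == "__main__":
    for user, items in analyze(LOG).items():
        for item in items:
            print(f"{user}: {item}")
```

On the sample log only bob is flagged: three events outside business hours, a 5.2 GB download on 2016-11-04, and two failed logins to alice's account from the host bob otherwise logs in from. The 800 MB Saturday download stays under the assumed threshold, which is the point of aggregating per user and per day rather than alerting on each line.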